Graph and PowerShell Blog

The best way to protect users in Azure is to enable 2 factor authentication, but this can take time to setup and enforce for all users. One of the extra checks you can perform is to look at the Azure sign-in logs using MS Graph. This will give you a list of logons to all Azure services, showing the username, country and IP. Using this information Microsoft provide alerts for suspicious logons, for example where a logon was detected from a country not normally seen.

These alerts can be very useful but oddly this only works where the records shows an IPv4 address, if the user logged on using an IPv6 address it will not detect the country. So using a PowerShell script we can do the following:

• Report on all users logged in successfully in a 24 hour period.
• Do IPv6 country lookups, something Microsoft does not currently do.
• Exclude certain countries from the report, eg you might not be interested in logons from your home country.
• Send an alert email if suspicious logons are detected.

Image of logons detected

↑ Alert email to show logons from certain countries.

For IPv6 lookups we can use IP-API.com to get their location:

$iplookup = Invoke-RestMethod -Method Get -Uri "http://ip-api.com/json/$r_ip"
$countryname = $iplookup.country
$city = $iplookup.city

For the country's flag you can download all of them through GitHub and then reference them via their 2 letter country code (ISO 3166-1).

Finally we can keep track of successful and failed logons per day by outputting to a log file which can then be read by the PowerShell script and displayed in a HTML page. Each bar links to an Excel report listing all the logons.

↑ Table of all logons per day.

Graph and PowerShell Blog	Articles 2024 Advanced Postfix configuration Installing Exchange 2019 in Azure Landing Zone Upgrading PHP on Windows Adding a Postfix server for relay to O365 O365 Integrated Apps troubleshooting Domino and O365 Co-existence Delegate Control in AD App mail relay via HVE Setting up Mail Relay with HVE Getting BIMI certified Orbea Occam SL H30 Installing FreeSat and Saorview Changing broadband provider Replacing a DIN timer on fuseboard Outlook Desktop Notifications stop working Outlook folders keep moving sort order Teams report uploading to SharePoint with Runbooks Teams PowerShell module can't run CS cmd as App 2023 Cannot map new Shared Mailboxes in O365 Renewing an Exchange 2016 certificate Connect to Compliance PowerShell behind a Proxy Sensitivity Label not shown in Outlook Client Room Finder Error in Outlook Teams not showing Rooms Teams unable to open file Unable to review quarantined mails for shared mailbox Set Locale for various Apps Delegate Sent Items placed into external Tenant Overview of Microsoft Support cases When centralized mail sends via O365 Cleaning up your Windows DNS server Set OneDrive for Business Locale O365 Migration Tips Reporting on successful Azure logons IIS Mapi Queue full with NetScaler Secure Office365 reports with a certificate Using Graph to send emails with inline images Visualizing Graph data with Google Charts Keeping a log of NetScaler AlwaysON connections \| About \| Links

Reporting on successful Azure logons 06-Mar-23 The best way to protect users in Azure is to enable 2 factor authentication, but this can take time to setup and enforce for all users. One of the extra checks you can perform is to look at the Azure sign-in logs using MS Graph. This will give you a list of logons to all Azure services, showing the username, country and IP. Using this information Microsoft provide alerts for suspicious logons, for example where a logon was detected from a country not normally seen. These alerts can be very useful but oddly this only works where the records shows an IPv4 address, if the user logged on using an IPv6 address it will not detect the country. So using a PowerShell script we can do the following: • Report on all users logged in successfully in a 24 hour period. • Do IPv6 country lookups, something Microsoft does not currently do. • Exclude certain countries from the report, eg you might not be interested in logons from your home country. • Send an alert email if suspicious logons are detected. ↑ Alert email to show logons from certain countries. For IPv6 lookups we can use IP-API.com to get their location: $iplookup = Invoke-RestMethod -Method Get -Uri "http://ip-api.com/json/$r_ip" $countryname = $iplookup.country $city = $iplookup.city For the country's flag you can download all of them through GitHub and then reference them via their 2 letter country code (ISO 3166-1). Finally we can keep track of successful and failed logons per day by outputting to a log file which can then be read by the PowerShell script and displayed in a HTML page. Each bar links to an Excel report listing all the logons. ↑ Table of all logons per day.